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Executive  Summary 

FASTER  (Fault  Tolerant  Architecture  Simulation  Tool  for  Evaluating  Reliability)  provides 
a  flexible  method  for  simulation  of  complex  reconfigurable  systems  subject  to  different 
mission  phases.  This  report  describes  the  following:  1)  Method  of  representation  for 
complex  systems,  2)  Editors  used  to  enter  system  representation,  3)  FASTER  simulation 
method  and  4)  Examples. 

FASTER  was  developed  to  describe  complex  systems  which  can  not  be  easily  addressed 
with  analytical  techniques.  The  unique  features  of  FASTER  are  the  method  of  represen¬ 
tation  and  the  constraint  directed  editor. 

FASTER  is  written  in  FORTRAN  and  can  run  on  a  VAX  series  computer. 
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1  Introduction 


This  report  describes  technical  features  of  the  FASTER  simulation  package.  The  concepts 
used  in  the  design  of  FASTER  are  discussed.  Also,  because  FASTER  deals  with  complex 
reconfigurable  systems,  a  method  and  approach  for  effective  system  representation  is  pre¬ 
sented.  This  representation  method  is  needed  because  more  traditional  methods  such  as 
analytical  techniques  which  combine  subsystem  MTBFs  to  obtain  an  overall  MTBF  (or 
combine  other  quantities  such  as  availability  or  reliability)  are  not  able  to  easily  deal  with 
complex  reconfigurable  systems.  A  clear  understanding  of  this  representation  method  is 
needed  to  properly  use  FASTER. 

The  report  is  divided  into  the  following  sections: 

2.0  Representation  of  Complex  Reconfigurable  Systems 


3.0  Constraint  Directed  Editor 


4.0  FASTER  Engine 


5.0  Modeling  Capabilities- Examples 

Each  of  the  above  sections  provide  background  for  the  FASTER  user.  Further  details  and 
examples  on  how  to  use  FASTER  are  provided  in  the  FASTER  User’s  Guide. 


2  Representation  of  Complex  Reconfigurable  Systems 


Existing  methods  for  computing  reliability  characteristics  of  fault  tolerance  systems  are 
effective  for  simple  systems.  There  are  analytical  techniques  for  computing  failure  rates  of 
simple  series  and  parallel  systems.  However,  when  the  system  can  reconfigure  by  changing 
its  internal  state  or  use  of  reallocation  of  resources,  the  analytical  methods  quickly  become 
overly  complex  and  almost  impossible  to  solve  in  closed  form.  Furthermore,  complex 
systems  performance  is  typically  dependent  on  the  mission.  The  ability  of  the  system  to 
successfully  complete  its  mission  is  the  important  question  instead  of  what  is  the  failure 
rate. 


4 


2.1  Need  for  a  Mission  Level  Simulation 


For  a  complex  system  which  can  adapt  in  response  to  internal  failures,  the  important 
question  is: 

Can  the  system  complete  its  intended  mission? 

This  is  in  contrast  to  the  normal  measures  (such  as  failure  rates)  which  are  used  for  simple 
systems.  For  this  reason,  the  environment  (or  mission)  of  the  complex  system  needs  to  be 
described.  Many  missions  place  time  dependent  loads  or  demands  on  the  system.  This 
has  two  effects: 

1.  Stress  levels  placed  upon  the  system  change. 

2.  System  performance  requirements  change. 

Both  of  these  effects  must  be  considered  in  the  evaluation  of  complex  systems.  Different 
stress  levels  change  the  MTBF  of  various  subsystems  and  cause  failures  to  be  correlated 
with  different  mission  phases.  Time  varying  requirements  imposed  by  the  mission  require 
different  levels  of  system  availability.  For  these  reasons,  the  FASTER  system  has  a  “mis¬ 
sion  block”  which  is  used  to  specify  time  dependent  scenarios  which  “drive”  the  system 
simulation. 

The  mission  block  can  be  used  to  represent  times  when  certain  resources  are  needed.  Also, 
the  mission  defines  what  function  the  system  must  conduct.  The  success  of  the  system  is 
dependent  on  the  coincidence  of  having  the  right  resource  at  the  right  time.  If  resources 
are  unavailable  during  periods  when  they  are  not  needed,  then  the  mission  may  still  be 
successful. 


2.2  System  Representation 

Complex  systems  are  composed  of  multiple  interacting  subsystems.  The  interaction  be¬ 
tween  subsystems  determines  how  the  overall  system  functions.  Also,  complex  systems, 
subject  to  failure  and  other  changes  in  condition,  must  be  described  by  a  dynamic  process. 
At  any  'astant  in  time,  the  system  can  be  described  by  a  state.  The  overall  state  of  the 
system  is  a  function  of  the  states  (or  modes)  of  the  subsystems.  The  mode  of  a  subsystem 
determines  its  ability  to  function.  For  example,  if  a  subsystem  is  in  a  failure  state,  the 
subsystem  “output”  may  not  have  the  desired  responses  to  other  systems  “input” .  Other 
subsystems  may  not  be  able  to  perform  their  function  because  of  the  interaction  with  the 
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failed  subsystem.  That  is,  subsystems  which  have  not  failed  may  still  not  be  operational 
because  they  do  not  have  the  required  inputs. 

To  deal  with  subsystem  interactions  and  effects  of  different  subsystem  modes,  FASTER 
represents  complex  systems  by  using  a  state  transition  diagram  and  high  level  “functional” 
transfer  functions  associated  with  each  node  (or  state  or  mode)  in  the  state  transition 
diagram.  Figure  1  shows  how  a  system  is  represented  as  a  set  of  interconnected  subsystems. 
Note  that  each  subsystem  has  a  mode  and  each  mode  has  an  associated  functional  transfer 
function.  The  combination  of  state  transitions  and  functional  transfer  functions  form  the 
basic  unit  of  subsystem  representation  in  FASTER.  This  type  of  subsystem  is  referred  to 
as  a  primitive. 

A  complex  system  can  be  composed  of  many  primitives  which  interact  through  connections 
or  interfaces. 

The  above  representation  method  was  chosen  to  allow  FASTER  to  describe  complex  re- 
configurable  system  behavior;  some  features  of  this  representation  are: 

1.  The  number  of  system  modes  is  given  by  a  product  of  the  numbers  of  subsystem 
modes.  This  makes  it  impractical  to  construct  an  overall  system  state  diagram  in 
many  cases.  The  FASTER  representation  method  allows  the  user  to  partition  the 
system  into  interacting  subsystems.  An  overall  state  transition  diagram  is  not  entered 
by  the  user,  instead,  state  transition  diagrams  for  each  subsystem  are  entered.  For 
a  system  composed  of  10  subsystems  having  5  modes/subsystems  an  overall  state 
diagram  would  have  5**10  modes  because  of  combinatorial  effects.  However,  if  5 
diagrams  with  10  modes  each  are  used  to  represent  the  system,  the  user  only  needs 
enter  50  modes  each  instead  of  one  diagram  with  9,765,625  modes  which  would  be 
required  if  one  transition  diagram  was  used  to  describe  the  system. 

2.  The  use  of  “functional”  transfer  functions  allows  the  interactions  between  subsys¬ 
tems  to  be  described  in  terms  of  input  resources  and  output  resources.  Subsystems 
may  not  be  able  to  perform  their  function  if  they  do  not  receive  the  proper  input 
resources  from  other  subsystems.  This  feature  allows  a  “richer”  description  of  sub¬ 
system  interoperability  and  a  relation  to  a  mission  scenario. 

3.  The  description  allows  “feedback”  from  one  system  to  another.  Feedback  is  required 
if  a  system  is  self  reconfigurable.  Also  FASTER  can  account  for  the  effect  of  imperfect 
Built-in-Test  (BIT)  and  switching.  Certain  primitives  which  act  as  monitors  (BIT) 
and  control  switches  can  be  defined  and  used  to  describe  reconfigurable  systems. 
Feedback  is  involved  when  monitor  output  is  used  to  cause  reconfiguration. 
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REPRESENTATION 


Each  subsystem  has  a  mode  graph  and  each  mode  in 
the  mode  graph  has  a  functional  transfer  function. 


Figure  1:  FASTER  Representation 
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4.  Unlike  the  analytical  approach,  a  FASTER  model  closely  relates  to  the  systems  being 
simulated.  This  makes  it  easier  for  the  user  to  understand  the  modeling  process  and 
see  how  the  relationships  between  subsystems  impact  overall  system  performance. 

The  representation  method  requires  a  system  engineering  approach.  To  use  FASTER 
properly,  the  interactions  between  subsystems  must  be  understood  by  the  FASTER  user. 
The  FASTER  editors  allow  users  to  define  primitives  and  describe  subsystem  interactions 
without  using  a  specialized  computer  language.  Figure  2  is  an  illustration  of  the  types  of 
data  needed  in  a  FASTER  simulation.  A  brief  description  of  the  data  is  presented  in  figure 
2.  Further  details  can  be  obtained  from  the  users  guide  as  well  as  in  section  5. 

2.3  System  Performance  Measures 

Traditional  measures  used  include  Mean  Time  Between  Failure  (MTBF),  Mean  Time  Be¬ 
tween  Critical  Failure  (MTBCF),  Mean  Time  to  Repair  (MTTR),  availability  and  reliabil¬ 
ity.  In  a  simple  system  only  one  value  for  each  of  the  above  measures  is  needed.  However, 
for  complex  systems,  there  may  be  several  numbers  or  values  which  relate  to  each  of  the 
above  measures.  For  example  a  complex  system  which  performs  multiple  functions  may 
have  a  MTBCF  for  each  function.  Furthermore,  each  of  the  above  measures  must  be 
extended  or  generalized.  For  example,  MTBF,  MTBCF  and  MTTR  can  be  extended  to 
Mean  Time  Between  Transition.  This  extension  is  required  because  there  may  be  several 
failure  modes  involved  in  a  complex  system.  In  some  cases,  the  meaning  of  “failure”  must 
be  defined.  For  a  complex  system,  the  failure  of  subcomponents  is  not  the  prime  quantity 
of  interest.  Instead,  the  quantity  of  interest  is  the  failure  of  the  system  to  perform  mission 
objectives.  Individual  subcomponent  failures  may  still  be  of  interest  to  system  designers 
who  must  determine  the  required  redundancy. 

For  highly  complex  systems,  the  user  can  use  the  “test  probe”  approach  to  obtain  statistics 
for  only  selected  subsystems.  This  “test  probe”  approach  is  needed  in  order  to  control  the 
amount  of  data  generated.  Figure  3  shows  an  example  of  FASTER  output.  The  first 
part  of  the  output  is  a  list  of  the  selected  subsystems,  transition  types,  and  transition 
specifications.  There  are  several  transition  types.  Failure  is  only  one  kind  of  transition 
other  types  include  delay/warm  up,  and  control. 

The  next  part  of  the  output  gives  the  following: 

Average  time  in  mode  Availability 

Standard  Deviattion  Unavailability 

Number  of  non-zero-runs  Reliability 
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1.  Number  of  Modes 

2.  Number  of  Transitions 

3.  Transition  list  (type,  from  mode,  to  mode) 

•  Failure  rate-failures/unit  time 

•  Delay  time-transition  time  delay 

•  Control  source-input  number  which  drives  control  tran¬ 
sition 

4.  Transfer  functions  defined  for  each  mode: 

•  Number  of  subprimitives 

•  Connection  list-defines  how  subprimitives  are  connected 

•  Parameter  and  limit  values-numeric  values  for  subprimi¬ 
tives 


Figure  2:  Data  Which  is  Used  in  FASTER  Primitives 
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Kxnrnplr  FASTER  Output 


The  operational  state  of  the  system  can  be  defined  by  using  “and”  and  “or”  primitives, 
and  a  timer  probe.  The  timer  probe  has  two  modes  which  can  represent  system  up  or 
system  down.  The  availability  of  a  given  mode  is  the  fraction  of  time  that  the  system  is  in 
the  mode  during  the  mission.  If  the  mode  corresponds  to  an  operational  condition  of  the 
system,  then  it  can  be  interpreted  as  system  availability. 

To  compute  reliability,  the  actual  mission  length  must  be  used  as  the  run  time.  The 
reliability  is  then  given  by  number  of  missions  without  a  critical  failure/number  of  runs. 
The  FASTER  output  computes  this  quantity.  Examples  in  section  5  show  how  to  interprete 
the  FASTER  output  to  obtain  reliability. 

To  obtain  MTBF  and  MTBCF,  the  mean  time  between  transition  (MTBT)  values  are 
used.  In  cases  when  the  transition  represents  a  loss  of  a  critical  system  function,  MTBF  is 
actually  the  MTBCF.  Since  the  system  may  have  multiple  functions,  many  MTBT  values 
are  obtained.  The  user  must,  therefore,  define  which  transition  represents  critical  failures. 
To  define  a  single  MTBCF,  a  timer  block  which  monitors  a  set  of  “or”  blocks  which,  in 
turn,  detect  any  critical  failure  is  used. 


II 


3  Constraint  Directed  Editor 


The  editors  in  FASTER  are  used  to  obtain  the  data  which  defines  the  simulation.  To 
manage  this  process,  the  editors  are  set  up  to  present  displays  to  the  user  which  define  or 
indicate  what  type  of  information  is  needed.  The  specification  process  is  interactive  and 
dynamic.  As  the  process  unfolds,  the  “needed  information”  requirements  change  or  can  be 
further  identified.  For  example,  the  user  first  specifies  a  set  of  subcomponents  and  from  this 
list  of  subcomponents,  the  editor  determines  the  interfacing  requirements  and  generates 
a  display  which  indicates  the  data  needed  to  “wire  up”  the  subcomponents.  Also,  the 
editor  identifies  if  any  parametric  information  is  needed  by  examining  the  subcomponents 
in  the  user  specified  list.  The  user  interacts  with  the  editor  by  supplying  the  requested 
information.  In  some  cases,  satisfaction  of  one  prompt  may  result  in  the  generation  of 
secondary  prompts. 

This  approach  leads  to  a  simplified  specification  process.  The  user  responds  to  the  editors 
prompts  until  the  editor  has  no  more  questions.  Then  the  specification  is  complete.  In  a 
traditional  specification  language,  the  user  can  make  errors  of  omission.  However,  the  in¬ 
teractive  process  used  by  the  FASTER  editors  prevents  this.  The  user  can  then  concentrate 
on  creating  realistic  simulations  instead  of  the  syntax  of  a  specification  language. 

There  are  two  major  editors  in  FASTER  which  are  used  to  define  the  simulation.  These 
are  the  “primitive  editor”  and  the  “top  level  editor”. 

The  primitive  editor  is  used  to  define  FASTER  primitives  which  represent  the  subcompo¬ 
nents  of  the  system  being  simulated. 

These  basic  subcomponents  (referred  to  as  primitives)  consist  of  a  state  (or  mode)  transi¬ 
tion  diagram  and  a  functional  transfer  function  associated  with  each  state  or  mode  in  the 
transition  diagram.  Below  is  a  summary  of  the  information  contained  in  a  primitive: 

1.  Names  of  each  state  or  mode  in  the  state  transition  diagram. 

2.  Exit  conditions  for  each  state  in  the  transition  diagram  (failures,  control  line,  warmup, 
etc.). 

3.  Functional  transfer  functions  for  each  state  in  the  transition  diagram. 

The  primitive  editor  obtains  this  information  from  the  user.  For  “exit  conditions”,  the 
primitive  editor  requests  appropriate  information  which  is  dependent  on  the  specific  exit 
condition  selected.  For  example,  if  the  exit  condition  is  a  “failure”,  the  editor  requests 
which  failure  equation  is  to  be  used.  If  a  constant  failure  is  selected,  the  editor  then 
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requests  a  single  number  relating  to  the  MTBF.  If  a  non-constant  distribution  is  used,  the 
editor  will  prompt  the  user  for  a  set  of  numbers  which  represent  the  distribution  of  failures. 
Thus,  the  editor  guides  the  user  by  identifying  what  type  of  information  is  needed. 

The  primitive  editor  also  requires  that  the  user  describe  a  transfer  function  for  each  mode 
in  the  graph.  A  transfer  function  is  formed  by  selecting  a  set  of  operators  from  a  list 
of  simple  logic  and  threshold  functions.  To  assist  the  user,  the  primitive  editor  prompts 
the  user  for  connection  data  which  describes  how  to  combine  the  selected  elements.  The 
resulting  primitives  are  stored  on  a  disk  file  for  later  use  by  the  high  level  editor.  An 
example  of  the  operation  of  the  primitive  editor  is  presented  in  the  users  guide. 

FASTER  also  has  a  mission  editor  which  is  used  to  define  a  scenario  or  mission  for  the 
system  being  simulated.  The  user  specifies  the  “external”  inputs  to  the  system  being 
simulated.  Examples  of  external  inputs  are  control  inputs  (which  turn  the  system  on  and 
off)  and  mission  load. 

The  “Top  Level  Editor”  is  used  to  combine  primitives  together  to  form  the  system  to  be 
simulated.  In  a  fashion  similar  to  the  primitive  editor,  it  generates  displays  which  indicate 
what  information  or  inputs  are  to  be  supplied  to  the  user.  This  information  deals  with 
connections  and  interfacing  the  primitives  together. 


4  FASTER  Simulation  Function 


The  FASTER  Simulation  Function  is  shown  in  Figure  4.  The  heart  of  the  simulation  is  the 
function  called  the  FASTER  Engine.  Because  this  function  is  best  understood  in  terms  of 
a  virtual  machine,  it  will  be  referred  to  as  the  FASTER  Engine.  Section  4.1  describes  the 
FASTER  Engine  in  detail. 

The  other  functions  shown  in  Figure  4  are  used  for  set  up  and  control  of  the  FASTER 
Engine.  Since  FASTER  does  Monte  Carlo  simulations,  the  number  of  runs  through  a 
mission  must  be  specified.  The  initialization  function  obtains  this  information  from  the 
user.  Also,  the  initialization  function  must  obtain  from  the  user  the  file  name  of  a  file  which 
defines  the  “program”  for  the  Engine.  Furthermore,  it  must  “down  load”  the  program. 
This  down  loading  process  is  referred  to  as  “building  the  internal  representation”. 

At  this  point,  the  Engine  is  ready  to  simulate.  The  simulation  control  function  causes 
the  engine  to  carry  out  the  specified  number  of  simulation  runs.  Each  run  corresponds  to 
one  mission  period.  At  the  end  of  the  run,  the  engine  must  be  restored  to  the  “start  of 
mission”  initial  condition.  Also,  run  summary  information  may  be  recorded.  To  carry  out 

these  tasks,  the  simulation  control  function  uses  functions  called  “run  set  up”  and  “copy 

initial  conditions".  ' 
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Figure  4:  FASTER  Simulation  Function 


4.1  FASTER  Engine 

This  section  describes  the  FASTER  Engine.  The  set  up  and  control  functions  involved  to 
initialize  the  Engine  and  carry  out  a  number  of  Monte  Carlo  runs  were  discussed  at  a  high 
level  in  the  previous  section.  The  following  paragraph  describes  how  the  FASTER  Engine 
can  be  viewed  as  a  virtual  machine.  Comparisons  between  a  standard  processor  and  the 
FASTER  Engine  are  made.  The  approach  used  in  the  FASTER  Engine  was  selected  in 
order  to  achieve  the  flexibility  needed  in  modeling  complex  reconfigurable  systems.  This 
design  permits  an  object  oriented  approach  that  permits  more  complex  representations  of 
behavior  to  be  easily  added  to  the  FASTER  system. 

The  FASTER  Engine  is  best  viewed  as  a  virtual  machine  which  executes  a  program  gen¬ 
erated  by  the  FASTER  Editor.  The  program  for  the  FASTER  Engine  consists  of  a  data 
structure  which  specifies  operators  and  addresses.  Details  of  this  data  structure  are  shown 
in  Figure  5.  However,  unlike  the  programs  for  existing  computers,  the  operators  and  ad¬ 
dresses  used  in  FASTER  are  high  level  and  relate  directly  to  the  problem  domain.  For 
example,  some  of  the  operators  in  FASTER  are: 

•  Generate  next  failure  event 

•  Generate  repair  event 

•  Evaluate  transfer  function 

Figure  6  is  an  overview  of  the  FASTER  engine.  Each  operation  in  the  FASTER  engine  is 
represented  by  FORTRAN  code.  This  code  is  considered  as  part  of  the  engine.  The  specific 
models  defined  by  the  user  set  up  the  data  structure  shown  in  Figure  5  which  controls  how 
the  FORTRAN  modules  representing  the  various  high  level  operators  are  executed. 

The  FASTER  Engine  is  similar,  in  concept,  to  a  standard  processor.  Note,  however, 
that  the  FASTER  Engine  instructions  represent  considerably  more  complex  data  trans¬ 
formations  than  the  instructions  of  a  standard  processor.  In  fact,  FASTER  instructions 
(primitives)  are  as  complex  as  high  level  language  programs  containing  three  or  four  sub¬ 
routines. 

Examples  of  generic  functions  composing  a  primitive  are: 


•  predict  time  of  next  failure 


event  is  calculated 

ENTRIES  SORTED 
BY  EVENT  TIME 
AND  THEN 
INSTANCE  # 


INDEXED  BY 
INSTANCE  # 


NEWEST  EVENT  IS  EVALUATED: 

•  INSTANCE  # 

t  TIME  OF  EVENT 

•  KIND  OF  EVENT 

•  PARTICULARS,  LIKE 
NEW  MODE 


Data  for  each  Instance 

•  A  small  table  of  outputs  containing  each  output’s  current  value 

•  A  small  table  of  inputs  containing  the  instance  #  and  output  #  of  the  connected 
primitive 

•  An  encoded  description  of  the  mode  transition  diagram 

•  An  encoded  description  of  the  transfer  function  for  each  mode 

•  The  current  mode  and  statistics  for  each  mode 

•  Initial  output,  mode  and  statistical  values 


Figure  5a: 


Data  Structure  Overview 
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Figure  6:  Engine  Overview 


•  select  new  mode 


•  evaluate  output 

The  FASTER  Engine  function  is  to  control  which  instructions  (actually  Fortran  subrou¬ 
tines)  are  executed.  Execution  of  the  instruction  involves  calling  the  appropriate  generic 
functions. 

The  FASTER  Engine  instructions  (which  are  FASTER  primitives)  differ  in  an  important 
respect  from  instructions  on  a  standard  processor.  This  difference  is  that  the  FASTER 
instructions,  which  form  a  user  specified  simulation  closely  correspond  to  the  real  objects 
in  the  systems  being  simulated.  This  design  permits  an  object  oriented  approach.  Fur¬ 
thermore,  in  contrast  to  a  standard  processor  in  which  an  instruction-like  “add”  must 
have  additional  instructions  to  retrieve  and  store  data  from  memory,  the  FASTER  Engine 
does  not  specify  address  of  data  for  its  “instructions”.  Instead,  the  Engine  only  speci¬ 
fies  an  “instance”  of  an  instruction  which  corresponds  to  an  object  in  the  system  being 
simulated.  The  instance  has  all  the  information  it  needs  to  carry  out  the  required  data 
transformations.  This  includes  the  following: 

1.  List  of  input  and  output  addresses.  These  pointers  relate  to  how  the  instructions 
supply  data  to  each  other.  They  represent  connectivity. 

2.  Specification  of  which  generic  functions  to  use.  An  instruction  is  carried  out  using 
one  or  more  generic  functions. 

3.  Pointers  which  specify  data  for  the  generic  functions. 

Note  that  in  the  above,  items  1  and  3  are  both  pointers  to  data  used  by  generic  functions 
in  2.  The  difference  between  1  and  3  is  as  follows:  The  addresses  specified  in  1  represent 
the  connectivity  or  data  transfer  between  primitives  (instructions).  The  connectivity  is 
defined  by  the  user.  This  type  of  connectivity  is  directly  related  to  how  the  components 
interact.  The  data  specified  in  3  represents  instance  specific  information.  In  this  way,  a 
primitive  editor  can  be  used  to  form  new  primitives  whose  properties  can  be  varied  by 
changing  data.  Also,  to  allow  the  user  to  build  primitives,  the  primitive  editor  allows  the 
user  to  define  which  generic  functions  are  to  be  used,  as  well  as  the  data  needed. 

An  important  feature  of  the  FASTER  Engine  is  that  it  is  set  up  to  do  event  driven  sim¬ 
ulations.  The  “instructions”  or  primitives  produce  events  which  specify  a  time  value  and 
a  specific  instances  of  another  instruction.  The  Engine  stores  these  events  in  a  queue  for 
later  execution.  Thus,  in  the  FASTER  Engine,  the  instructions  invoke  (or  call)  each  other. 


The  order  of  execution  is  determined  by  the  time  values  and  the  connectivity.  Connectivity 
enters  in  if  two  events  have  the  same  time  value. 


The  FASTER  Simulation  Engine  simulates  the  reliability  behavior  of  a  complex  system. 
The  system  to  be  simulated  is  specified  by  the  FASTER  user  (using  the  FASTER  editor)  as 
a  composition  of  primitives.  The  primitives  specify  the  appropriate  high-level  operations 
and  data  which  need  to  be  evaluated.  The  primitives  interact  with  each  other  by  updating 
states,  updating  outputs,  and  triggering  actions  (also  called  events).  The  Engine  makes 
use  of  a  linked  list  event  data  structure  to  store  events,  and/or  messages.  The  Engine  reads 
the  list  to  obtain  the  next  action  or  event  which  specifies  a  primitive.  When  an  action  is 
invoked  upon  the  specified  primitive,  the  primitive  associated  procedures  are  invoked  using 
primitive  specific  data.  The  primitive  is  viewed  as  an  “object  of  data”  which  specifies: 


•  Which  procedure(s)  to  cadi  in  response  to  events  and  inputs. 

•  Primitive  specific  data  for  the  procedure(s). 


The  Simulation  Engine  calls  the  specified  procedures  in  a  time-based  sequence.  The  pro¬ 
cedures  use  the  primitive  input  data.  The  results  of  the  execution  of  procedure  are: 

•  Events  which  trigger  other  events  may  be  generated. 

•  Output  values  may  change  and  affect  input  values  of  other  blocks. 

•  The  state  of  the  primitive  may  change. 

A  change  in  a  given  primitive’s  data/state  affects  other  primitive(s),  event(s)  or  triggers 
are  generated  for  the  affected  primitive(s).  These  events  are  inserted  into  the  time  tagged 
list.  Note  that  events  must  contain  a  time  value  and  the  name  of  the  affected  primitive. 
Upon  receiving  an  event,  affected  primitives  will  examine  the  environment  (which  includes 
output  values  transmitted  along  connections)  to  determine  how  to  respond.  By  responding 
to  events  by  generating  events  for  other  primitives,  the  primitives  drive  the  simulation.  The 
process  continues  until  the  “end  of  run”  event  is  processed. 

An  event  type  is  specified  in  the  event.  The  usefulness  of  specifying  an  event  type  as  part 
of  the  event  represents  a  tradeoff  among  the  following  factors: 


•  Complexity  of  source  primitive  vs.  destination  primitive  processing  needed  to  deter¬ 
mine  event  type. 
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•  Loss  of  generality  when  event  types  can  only  make  sense  in  the  context  of  the  desti¬ 
nation  primitive  (object-oriented  approach  does  not  need  an  event  type). 

Generic  event  types  can  be  defined  (e.g.,  output  change,  internal  state  change),  and  the 
source  primitive  will  select  the  type.  The  destination  primitive  will  interpret  the  event  in 
its  own  context  using  the  event  type.  Thus,  both  source  and  destination  blocks  will  share 
in  the  task  of  determining  how  the  destination  block  will  respond. 

The  following  classes  of  generic  procedures  are  used: 

•  Control  procedure  which  determine  which  subroutines  or  functions  to  call. 

•  State  transition  graph  procedure. 

•  Failure  generator  (a  random  number  generator  and  a  parametric  function  will  use 
primitive  specific  data  to  generate  time  of  next  failure.  Also  a  branching  ratio  will 
be  used  if  multiple  mechanisms  for  failure  are  to  be  modeled). 

•  Input/output  relationship  processor  (a  generic  interpreter  will  interpret  primitive 
specific  data  in  order  to  compute  the  primitive’s  outputs  from  the  primitive’s  inputs 
(and  possibly  (in  complex  cases)  the  current  states)). 

The  above  procedures  are  considered  part  of  the  Engine.  These  procedures  use  “primitive 
specific  data”,  “state  data”,  and  “interface  data”. 

The  “primitive  specific  data”  is  associated  with  a  primitive  even  before  the  primitive  is 
used  to  form  a  composite.  The  primitive  also  has  “state  data”  and  “interface  data”.  The 
state  data  represents  the  condition  of  the  primitive  during  the  execution  of  the  simulation. 
Execution  of  the  procedures  cause  state  data  to  change.  The  interface  data  represents  how 
the  primitives  are  “hooked  up”.  The  composite  editor  obtains  the  “hook  up"  information 
from  the  user.  During  simulation  execution,  this  hook  up  (or  interfacing)  data  will  be  used 
in  a  process  to  determine  when  a  primitive  will  generate  an  event.  Also  the  target  of  the 
generated  events  is  determined  by  this  interfacing  data.  As  a  general  rule,  events  are  sent 
by  the  source  primitive  to  any  primitive  which  is  “hooked  up”  to  some  output  value  which 
was  modified  by  the  source  primitive.  Thus,  for  example,  if  primitive  A’s  output  is  hooked 
to  primitive  B’s  input,  primitive  A  sends  an  event  to  primitive  B  when  primitive  A  related 
processing  changes  the  said  output. 

The  FASTER  Engine  (execute  simulation  function)  consists  of  a  time  tagged  event  pro¬ 
cess  queue  function  and  a  select  process  function  (see  Figure  6).  The  event  Process  queue 


function  selects  the  next  event  from  the  queue.  This  event  points  to  a  specific  data  ob¬ 
ject  called  a  primitive.  The  said  primitive  data  object  contains  data  specifying  how  the 
primitive  must  respond  to  the  event.  Part  of  the  primitive  data  object  specifies  generic 
procedures  and  this  part  will  be  used  by  the  “select  process”  function  which  calls,  in  a 
data  driven  fashion,  one  or  more  of  the  generic  processing  functions.  Other  data  which 
are  used  by  the  generic  procedures  are  also  contained  in  the  primitive  data  object.  Some 
of  the  generic  processing  functions  generate  data  which  form  new  time  tagged  events.  If 
time  tagged  event  data  packets  are  formed,  the  “Add  Event”  function  is  used  to  insert 
new  events  into  the  time  tagged  queue.  Figure  7  shows  a  representation  of  this  processing 
flow.  Underlined  phrases  highlight  the  actions  carried  out  by  the  Simulation  Engine. 
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Do  Until  Time  Exceeds  End  Time 


(1)  Remove  Next  Event  from 
Event  Queue.  This  Event  will 

specify  the  data  of  interest  by  specifying 
a  pointer  to  a  specific  primitive. 

(2)  Based  on  Event  type  and  changes  in  external 
data  (input  changes  caused  by  actions 
produced  by  other  primitives)  select  which 
processes  must  be  executed. 

The  selection  process  will  be  dependent  on 
the  primitive  specific  data,  event  type, 
primitive  current  state  data,  and  interfaces 
with  other  primitives. 

(3)  Call  Specified  Processes. 

(4)  Update  time  using  value  in  the  event 

(5)  Insert  any  events  into  queue  and  remove 
any  pre-empted  events. 


End  Do 


Figure  7:  FASTER  Engine 
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5  Modeling  Capabilities  -  Examples 


To  use  FASTER,  the  system  properties  must  be  translated  into  a  representation  that  can 
define  a  FASTER  simulation.  This  section  presents  some  examples  which  illustrate  how 
this  is  done.  Each  example  is  given  in  three  parts.  The  first  part  is  a  top  level  description 
of  the  system  from  the  users  point  of  view.  The  second  part  is  a  brief  discussion  as  well 
as  a  FASTER  diagram  of  the  system.  The  third  part  is  the  FASTER  output.  Details  on 
how  to  enter  the  FASTER  diagram  are  in  the  users  guide.  The  objective  of  this  section  is 
to  show  examples  of  the  ways  systems  can  be  represented  by  FASTER. 
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Example  1:  Simple  Active  Redundancy  (Deferred  Repair).  Repair  Philosophy  -  Assume 
that  corrective  repair  is  deferred  until  a  critical  failure  occurs.  Repair  occurs  instanta¬ 
neously  at  that  time. 


X1  *  X2  *  X3  *  ,001  faf1ures/hr 


1  out  of  3  units  required  for  success 


Compute: 

1.  Mean-Time-Between-Critical- Failure  (MTBCF) 

2,  Reliability  at  time  t  =  100  Hrs  (R(100)) 
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FASTER  can  represent  the  system  in  several  ways  depending  on  user  preference.  Two 
FASTER  simulation  diagrams  are  shown  for  example  1.  The  first  diagram  closely  parallels 
,  the  system  and  was  used  to  compute  the  system  reliability.  The  reliability  at  T=100  hours 
is  the  probability  that  there  will  be  no  critical  failures  before  100  hours.  Therefore,  a 
100  hour  simulation  was  done.  To  obtain  good  statistics,  100,000  Monte  Carlo  runs  were 
requested.  The  RP  block  gives  the  number  of  critical  failures  because  it  causes  a  repair 
action  when  a  critical  failure  occurs.  Inspection  of  the  results  show  that  there  were  84 
non-zero  events  for  the  repair  process.  The  results  also  show  that  the  system  reliability  is 
0.99916. 

A  second  FASTER  diagram  was  created.  In  this  case,  each  mode  relates  to  the  number  of 
subunits  which  are  operational.  When  3  units  are  up,  the  failure  rate  is  three  times  the 
individual  rate.  As  units  fail,  the  failure  rate  out  of  the  mode  decreases.  As  in  the  previous 
case,  reliability  is  obtained  by  requesting  100  hour  missions.  In  this  case  the  reliability 
was  0.9992. 

To  compute  MTBCF,  it  is  necessary  to  run  a  simulation  with  a  very  long  mission  time 
to  assure  that  a  critical  failure  occurs  during  every  iteration.  To  obtain  the  MTBCF,  the 
same  simulation  was  run  for  a  simulated  time  of  100,000  hours.  The  repair  process  which 
repairs  the  system  when  critical  failures  occur  was  deactivated.  To  do  this,  the  input  of 
EX1UNIT  was  directly  connected  to  MEX1  so  that  no  repairs  can  occur.  A  long  mission 
time  was  requested  to  insure  that  a  critical  failure  occurs  for  each  run.  With  one  critical 
failure  per  run,  the  MTBCF  is  given  by  the  average  time  that  the  GT  block  spends  in 
mode  2.  Note  that  the  GT  block  is  a  generic  timer  which  keeps  track  of  system  mode. 
Inspection  of  the  output  shows  that  the  MTBCF  is  1840  hours. 
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SIMULATION  RESULTS 
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System  Reliability 


SIMULATION  RESULTS 
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49S3  4913  2 .  011+05  5 . 01 7000001-01  4 . 9S30000Q1-01 

10000  10000  1.001+05  0.000000001+00  1 .000000001+00 

0  0  1.001+05  1 .000000006+00  0 . 000000001+00 

10000  10000  1. 001+05  0 .000000001+00  1.000000001+00 


Example  2:  Simple  Standby  Redundancy  (Deferred  Repair).  Repair  Philosophy  -  Assume 
that  corrective  repair  is  deferred  until  a  critical  failure  occurs.  Repair  occurs  instanta¬ 
neously  at  that  time. 


X1  «  x2  *  X3  ■  *  .001  f allures/hr 


2  out  of  4  units  required  for  success 

Compute: 

1.  MTRCF 

2.  Reliability  at  time  t  Hilt  Mrs  ( R.(  M K I ) ) 


:v> 


Example  2 


Example  2  is  similar  to  example  1  except  that  there  are  4  units  and  2  out  of  4  are  required 
for  acceptable  operation.  Also  since  this  is  standby  redundancy,  the  units  are  assumed  not 
to  fail  in  the  standby  mode.  Figure  2  shows  the  FASTER  diagram  which  represents  the 
system.  A  GT  block  triggers  repair  when  the  third  failure  occurs.  To  obtain  the  system 
reliability  for  a  100  hour  mission,  100,000  runs  are  conducted.  The  resulting  reliability 
is  0.99886.  To  compute  MTBCF,  a  long  mission  (100,000  hours)  is  simulated  with  repair 
deactivated  by  connecting  EXAM2  directly  to  MEXl.  In  this  case  the  MTBCF  is  1500 
hours. 
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Example  3.  Simple  Active  Redundancy  (Immediate  Repair).  Repair  Philosophy  -  Imme¬ 
diate  concurrent  repair  is  assumed.  A  maintenance  crew  is  available  to  immediately  repair 
any  failed  resources  n<>  matter  h< >w  many  fail  during  the  same  time  period.  Repair  is 
performed  while  t  he  remaining  operating  unit  supports  the  operational  function. 


X-|  =  ^2  =  .001  failures/hr 
y-j  =  ^2  *  repairs/hr 


1  out  of  2  units  required  for  success 


Compute: 

1.  MTRf'F 

2.  System  Mean-Time-To-Kepair  (MTTR) 

3.  Steady  State  Availability 
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Example  3 

Example  3  is  a  system  for  which  repair  begins  immediately  when  a  unit  failure  occurs.  A 
non-constant  repair  time  is  used.  The  repair  process  has  an  MTTR  of  0.05  repairs/hour 
which  is  implemented  using  a  failure  transition  rate  equal  to  0.05.  Each  subsystem  has 
an  MTBF  of  1000  hoursi  The  LIB.OR  defines  the  overall  system  operation  and  the 
LIB-TIMER  keeps  track  of  the  up  time  to  compute  availability. 

The  first  run  was  for  a  100,000  hour  mission.  Results  show  the  system  availability  of 
0.99962  and  an  MTBCF  of  26,400  hours.  To  compute  the  MTTR  of  the  system,  three 
numbers  from  the  FASTER  output  are  used.  These  axe:  the  number  of  runs  (N  =  5000), 
total  number  of  failures  (NF  =  18948),  and  the  average  time  under  repair  (TR  =  37.6 
hours).  Note  that  NF  is  obtained  by  the  number  of  mode  2  to  mode  1  transitons  of 
LIB -TIMER  block  5  and  TR  is  the  average  time  LIB -TIMER  spends  in  mode  1. 

The  MTTR  is  given  by: 


MTTR  =  TR/(NF/NR) 


The  resulting  value  is  9.9  hours. 
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Example  l:  Simple  Active  Redundancy  (Scheduled  Preventive  Maintenance).  Repair  Phi¬ 
losophy  Assume  that.  corrective  repair  is  deferred  until  a  critical  failure  occurs,  repair 
occurs  instantaneously  at.  that  time,  however  scheduled  preventive  maintenance  is  con¬ 
ducted  at  regular  time  intervals.  During  each  scheduled  maintenance  action  each  unit  of 
the  system  is  repaired,  while  the  remaining  operating  units  carry  on  the  system  function. 
Tp  denotes  the  scheduled  maintenance  interval.  Every  Tp  hours  the  system  is  replenished, 
i.e.  all  failed  units  are  repaired  and  put  hack  on  line. 


*1  *  *2  *  X3  *  ,005  fa^ures/hr 

Tp  «  100  Hrs 

1  out  of  3  units  required  for  mission  success 


Computer: 

1.  MTBCF 

2.  Reliability  at  time  t  2I>0  Mr 
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Example  4 

The  FASTER  diagram  for  example  4  includes  a  mission  block  which  normally  outputs  a 
2  but  outputs  a  1  every  100  hours  to  cause  a  failure  reset  of  any  failed  U4  units.  To  set 
up  the  mission  block  to  output  a  1  every  100  hours,  the  mission  editor  is  used  to  enter  the 
data  in  the  table  which  is  on  the  figure  for  example  4.  Details  on  how  to  use  the  mission 
editor  are  in  the  user’s  guide.  The  GT  block  also  outputs  a  1  if  all  three  U4  units  fail. 
This  causes  all  three  U4  units  to  reset. 

To  run  the  simulation,  a  mission  time  of  200  hours  was  used  because  reliability  at  200 
hours  is  desired. 

The  resulting  system  reliability  is  0.8778  which  is  obtained  from  block  GT-7.  Also,  the 
MBTCF  of  the  system  is  1590  hours.  The  results  also  show  that  the  number  of  total  critical 
failures  in  all  10,000  missions  was  1257  and  that  the  number  of  preventative  maintenance 
repairs  for  one  U4  subsystem  is  about  6684.  This  shows  that  preventative  maintenance 
greatly  increases  the  system  reliability  and  MTBCF. 

Note  that  in  this  example,  the  MTBCF  is  computed  using  a  short  run  equal  to  the  mission 
length.  This  is  possible  because  the  system  is  reset  every  100  hours.  As  long  as  the  mission 
time  is  a  multiple  of  100  hours,  this  approach  is  valid. 

In  contrast,  the  other  examples  require  a  long  simulation  to  compute  MTBCF  values.  This 
is  because  the  critical  failure  rate  is  time  dependent  due  to  the  changes  in  the  system.  In 
example  6,  as  more  individual  primitives  fail,  the  critical  failure  rate  increases.  Thus  the 
critical  failure  rate  at  t  =  0  is  lower  than  the  critical  failure  rate  at  t  =  720  hours  because 
the  system  is  likely  to  have  some  failed  subunits  at  t  =  720  hours.  If  the  approach  used  in 
example  4  were  used  in  example  6,  a  longer  (and  wrong)  MTBCF  would  be  obtained. 
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Example  5:  Active  Redundancy  (with  Imperfect  Diagnostics  and  Switching),  upon  the 
occurrence'  of  a  failure,  the  faulty  unit  is  switched  off.  Repair  Philosophy  -  Assume  that 
manual  corrective  repair  is  deferred  until  n  critical  failure  occurs. 


R  -  Recovery/switching  Unit 
D  -  Diagnostics  Unit 
P  -  Prime  Unit 


1  out  of  2  units  required  for 

i 

mission  success 

Assumptions: 

•  Recovery  unit  failure  does  not,  immediately  cause  system  failure  but,  next  prime 
failure  after  a  recovery  unit  failure  will  cause  system  failure. 

•  Failure  to  switch  off  a  failed  unit  will  cause  a  system  failure. 

•  Diagnostics  unit  failure  does  not,  immediately  cause  system  failure  then  a  system 
failure  will  occur  (because  the  failed  unit  will  not  be  able  to  be  switched  off). 

•  Undetected  prime  unit  failure  causes  system  failure. 

•  Diagnostics  units  are  inactivated  when  the  associated  prime  unit  is  switched  off. 

Afl  =  .0002  failures/ hr 
Ap  =  .0002  failures/hr 
Ap  =  .001  fail  u  res/ hr 

Fraction  of  Faults  Detectable  (FFD)  1.00 
Compute: 

I.  MTB(T 
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2.  Reliability  at  time  t  lUUtl  hr 
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Example  5 

Example  5-FASTER  Diagram. 

The  following  figures  show  a  FASTER  diagram  for  example  5.  The  diagnositics  unit 
detects  all  failures  when  there  is  no  failure  of  the  diagnostics  unit.  The  primary  unit  has 
four  modes.  The  diagram  for  the  primary  unit  (PUNIT)  shows  these  modes.  Under  each 
mode  are  three  parameter  blocks  which  drive  the  outputs  of  PUNIT  with  the  indicated 
value.  The  failure  detect  line  (D)  becomes  a  “2”  just  after  a  failure.  If  the  PUNIT  is 
switched  off  (mode  4)  by  driving  C4  with  a  “4”,  then  a  unit  failure  occurs.  However,  if 
the  unit  is  not  switched  of  (before  T=.00l),  then  a  system  failure  occurs  (mode  3).  By 
using  “ANDS”  and  “OR”  (see  top  level  example  5  diagram),  a  critical  failure  is  defined  as 
1)  both  units  fail  or  2)  at  least  one  unit  fails  and  is  not  switched  off. 

The  primitive  DUNIT  detects  failures  and  causes  the  R  block  to  switch  off  the  PUNIT.  If 
DUNIT  fails,  then  it  will  not  detect  the  failure.  Also  if  the  R  unit  fails,  switching  will  not 
occur.  The  block  GT  was  shown  in  previous  examples.  GT  is  a  timer  which  keeps  track 
of  which  mode  the  system  is  in. 

If  imperfect  failure  detection  occurs  (FFD  =  0.9  for  example)  then  the  PUNIT  block  could 
be  modified  so  that  10%  of  the  time  the  "2”  on  output  number  3  is  set  to  “1”.  A  “PROB” 
subprimitive  could  be  used  to  do  this. 

Example  5  Results: 

Three  runs  were  made  for  example  5.  The  first  run  was  set  up  to  obtain  reliability  for  a 
1000  hour  mission.  Repair  was  disabled  so  that  the  number  fo  critical  failures  in  10,000 
missions  could  be  obtained.  The  number  of  mode  2  to  mode  1  transitions  gives  this  number 
(4746).  The  overall  system  reliability  is  then  given  by  (10,000  -  4746)/10,000  =  0  525. 

A  second  run  (with  repair  disabled)  was  conducted  to  obtain  MBTCF.  A  long  mission  was 
specified  to  insure  that  a  critical  failure  occurs  for  each  run.  The  MBTCF  is  then  given 
by  the  average  time  the  block  GT-12  stays  in  mode  2  (1340  hours). 

A  third  run  was  made  to  obtain  the  MBTCF  for  an  ultra  reliable  recovery  unit.  The  failure 
rate  of  the  R  unit  was  changed  from  0.2  X  10~8.  The  resulting  system  MBTCF  is  1410 
hours. 
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fall 


Run  1 

Run  1  was  done  to  obtain  the  system  reliability.  A  1,000  hour  mission  was  selected. 


52 


SIMULATION  tCSULTS 
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Run  2 

Run  2  obtains  the  system  MBTCF.  A  long  mission  (100,000  hours)  was  specified. 
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SIMULATION  RESULTS 
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Run  J 


Run  3  was  a  modified  system  which  had  a  highly  reliable  “R”  unit.  The  resulting  MBTCF 
was  higher  because  there  were  less  system  failures  caused  by  the  failure  to  switch  out 
detected  failures. 
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Example  6 


This  system  shows  an  example  of  multiple  failure  rates  in  series/parallel  systems.  For  the 
system  to  operate,  the  A  unit  must  he  up,  the  R-Group  must  be  up  (1  out  of  3)  and  either 
the  C-Group  or  the  D-Omup  must  be  up. 

Figure  6-1  shows  the  top  level  diagram  for  this  system.  The  blocks  A,  B,  C,  and  D  represent 
the  system  components  and  the  detailed  diagrams  are  shown  in  figures  6-2  through  6-4. 
Each  component  has  a.  repair  trigger  which  is  reset  by  the  RP  block,  the  RP  block  is 
triggered  by  block  (IT- 12. 

The  B-Group  (see  figure  6-3)  is  model.  <1  using  several  modes  which  define  which  B  subunit 
fails. 

The  G1  and  D  groups  are  modeled  m  a  similar  fashion.  However,  the  model  is  simpler 
because  all  subunits  have  the  same  failure  rate.  If  all  subunits  have  the  same  failure  rate, 
the  details  of  which  subunit  fails  may  not.  be  required.  Since  a  critical  failure  occurs  after 
the  fourth  failure  and  the  block  will  be  repaired,  the  nodes  with  1  or  2  subunits  up  are  not 
modeled. 

The  simulation  in  figure  6-1  was  run  for  I  (Ml, DIM)  missions  with  720  hours/  mission  to  com¬ 
pute  the  reliability.  To  compute  the  M  RT(  T’.  a  long  run  (100,000  hours)  was  conducted. 

The  reliability  after  720  hours  is  obtained  from  (JT  12.  A  value  of  0.9518  is  obtained.  The 
MTBCF  from  the  1011,1101)  hour  run  was  060(1  hours. 

Other  repair  methods  can  be  sumdni.  d  by  modification  of  the  top  level  diagram.  For 
example,  repair  of  each  group  enn  b<  earn'  d  .ait  .  .nlv  when  the  group  fails.  This  could  be 
done  using  an  RP  block  for  each  gi"iip  (A.  M,  ('  •  *r  I)).  In  this  case  the  RP  block  would 
be  driven  by  a  GT  block  which  itself  is  driven  by  the  group  output. 
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Figure 
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fail".  Node  "fail"  output  is  1.0. 


X  “  50  E-6  for  C  unit 
X  “  60  E-6  for  D  unit 

Figure  6-4 
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Example  7:  A  More  ('omplex  System  (Multiple  Mission  Phases)  All  Active  Redun¬ 
dancy  Repair  Philosophy  Assume  that  corrective  repair  is  deferred  until  a  critical 

failure  occurs. 
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Phase  1  (T  =  lOHr) 

Aa1  =  \A2  =  ...  Ayis  =  100  failures/ 10®  Hr 
Asi  =  AB2  =  ...  Ab6  =  50  failures/106  Or 
AC1  =  AC2  =  •••  AC2i  =  75  failures/106  Hr 
Phase  2  (T  =  5  Hr) 

Ayn  =  Ayt2  =  •••  Ayi5  =  200  failures/ 106  Hr 
Abi  =  Ab2  =  •••  Abs  =  25  failures/106  Hr 
Act  =  Ac2  =  •••  A (72i  =  50  failures/ !06  Hr 
Phase  3  (T  =  2  Hr) 

Ay»  =  A^2  =  •  Ayts  =  75  failures/  10s  Hr 
Abi  =  Ab2  =  •••  Abs  =  75  failures/106  Hr 
Aci  =  A C2  =  ...  A (721  =  25  failures/ 106  Hr 
Reliability  at  each  Phase  (T  =  10,  15,  17) 
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Example  7 

The  overall  system  is  composed  of  three  types  of  subunits  (called  A,  B  and  C)  which  are 
in  series  and  parallel  configurations.  Each  subunit  has  a  mission  time  dependent  failure 
rate.  The  overall  system  operation  requires  the  following: 

A-Group  (one  out  of  five  A  units  must  be  up) 

B-Group  (five  out  of  six  B  units  must  be  up) 

C-Group  (one  out  of  three  C  subgroups  must,  be  up) 

By  inspection  of  the  system  diagrams,  the  greatest  contribution  to  system  failure  is  the  B- 
Group.  This  is  because  system  failure  occurs  after  only  two  B  unit  failures.  In  constrast, 
it  takes  five  A  unit  failures  for  system  failure  to  occur.  The  C-Group  is  more  complex 
because  of  the  series  and  parallel  nature.  However,  since  all  three  C-subgroups  must  fail  to 
cause  system  failure,  the  C-group  is  expected  to  have  a  small  contribution  to  the  system 
failure  rate. 

The  FASTER  diagram  for  the  system  is  shown  in  four  figures  due  to  the  large  number 
of  blocks  required.  The  first  two  diagrams  7-1  and  7-2  show  the  A-Group,  B-Group  and 
C-Group  in  detail.  Figure  7-3  shows  the  structure  of  the  A,  B  and  C  primitives  which  have 
mission  dependent  failure  rates.  For  the  A  and  B  groups  each  unit  outputs  a  zero  (0)  if 
it  is  up  and  a  one  (1)  if  it  fails.  All  outputs  are  added  together  and  a  threshold  primitive 
changes  mode  when  a  certain  number  of  failures  occur.  The  (  '  units  output  a  two  (2)  when 
they  are  up  and  a  one  (1)  when  they  fail.  A  combination  of  ANDS  and  ORS  are  used  to 
define  C  group  operation.  Figure  7-4  shows  the  overall  system  diagram.  For  the  system  to 
be  operational,  all  three  groups  (A,  B  and  (')  must  be  operational.  Timer  blocks  (GT)  are 
used  to  keep  track  of  system  operation.  The  TBS  and  TBSA  blocks  are  threshold  blocks 
which  output  a  fail  value  (1)  when  the  number  of  failures  (which  is  an  input)  exceeds  a 
threshold  value.  For  this  example,  the  threshold  value  for  TRS  is  4.5  (which  outputs  a 
“1”  after  five  failures)  and  the  threshold  for  TRSA  is  1.5  (which  outputs  a  “1”  after  two 
failures). 

Example  7  shows  a  case  where  a  unique  well  defined  value  for  MTBCF  does  not  exist.  This 
is  because  of  the  time  dependence  of  the  critical  failure  rate  (see  example  4  comment)  and 
the  mission  dependent  subunit  failure  rate.  As  discussed  in  example  4,  a  time  dependent 
failure  rate  requires  a  long  mission  time.  However,  the  failure  rates  for  the  primitive 
subunits  are  not  defined  beyond  17  hours  Only  if  assumptions  about  the  failure  rates 
beyond  17  hours  are  made  can  an  MTBOF  be  computed  using  a  long  mission.  For  this 
reason,  MTBCF  values  are  not  obtained  for  example  7. 

Results  for  a  17  hour  mission  are  obtained  using  1 1)11. mill  runs.  Inspection  of  these  residts 
show  that  the  number  of  individual  unit  failures  com  parr'  with  results  which  ran  be  ob- 
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tained  by  a  simple  calculation.  I* or  example,  in  phase  one  (10  hours)  with  100,000  runs 
the  total  time  is  1,000,00(1  hums.  Tin-  '-xprcted  total  numbers  of  failures  are:  100  for  A 
units,  50  for  B  units,  and  75  for  (-  units.  The  FASTER  output  predicts  these  values  as 
the  number  of  transitions  from  mode  I  to  mode  1  for  AU,  BU  and  CU.  Within  statistics, 
these  values  agree  with  expected  results. 

The  FASTER  output  shows  that  only  one  critical  failure  occurs  in  100,000  missions.  This 
failure  was  due  to  failure  of  the  B  Group  The  other  groups  contribute  to  the  failure  rate 
but  their  contribution  is  much  less. 

A  much  greater  number  of  runs  is  needed  fo  obtain  good  statistics.  Due  to  the  complexity 
of  the  FASTER  diagram  and  the  amount  of  computer  time  needed,  this  was  not  done. 
Instead,  a  simplified  diagram  c«ml  .lining  •  ml  v  I  lie  H-Group  was  run. 

To  demonstrate  that  the  \  and  (’  gionps  do  not  make  a  significant  contribution  to  the 
system  failure,  a  set  of  1 0,1  )lll)  runs  each  ■  .f  .'{.III  Ml  hours  was  run.  This  insures  that  multiple 
failures  occur.  The  blocks  (,!T -(>5.  (IT  <>•»  and  (IT  57  give  the  numbers  of  system  failures 
caused  by  A-Gronp  (21)  B-(  Iroup  (2107)  and  (!-( Iroup  (0).  As  the  run  time  is  decreased 
to  17  hours,  the  contributions  of  ('  and  A  become  even  smaller  when  compared  to  B. 

The  FASTER  results  for  B  Group  evaluation  show  that  for  a  17  hour  mission,  there  were 
only  7  failures  in  500,0(11)  missions.  This  gives  a  reliability  of  0.999986.  Even  higher 
reliability  values  are  obtained  for  10  and  15  hour  missions. 

An  estimate  of  the  B  Group  failure  rale  can  he  made  using  the  binomial  distribution. 
Assuming  a  20  hour  mission  and  a  failure  tale  of  50  X  10~6  per  hour,  the  probability  of  a 
B  vinit  failure  during  the  mission  is  Id  !  With  dx  (6)  B  units,  the  binomial  distribution 
gives  the  following: 

P  (1)  =  6  x  10"3 
P  (2)  -■  15  x  10  * 

P  (3)  =  20  x  1(1  4 
P  (4)  =  15  x  Kb  12 
P  (5)  -  6  x  10  1S 
P  (6)  =  1  x  10-,p 

The  FASTER  output  for  the  17  hour  mission  shows  a  total  number  of  B  unit  failures  of 
2400  which  gives  a  probability  of  failure  of  4.8  x  10  3.  Since  only  7  system  failures  occur, 
(two  or  more  B  units  fail),  the  failure  probability  is  14  x  10-6.  These  values  are  similar  to 
the  estimated  values. 
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Example 


Figure  7-4 


SIMULATION  RESULTS 
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Electronic  Systems  Group 

P0  Box  746  MS 5 3 80 

Baltimore  MD  21203-0746 

Westinghouse  Electric  Corporation  1 

ATTN:  Richard  C.  Banta 
1111  Schilling  Road/  MS7062 
Hunt  Valley  M0  21030 


Evans  Associates  1 

804  Vickers  Avenue 
Durham  NC  27701-3143 


3oeing  Electronics  Company  1 

ATTN:  r.e.  Tidbal 
P0  Box  3999/  MS3A-83 
Seattle/  VA  98124-2207 


Sandia  Laboratories  1 

ATTN:  5.C.  Novoyny 
0  J  v i s i on  7222 
Albuquerque  NM  87115 


Eagle  Technology  Inc.  1 

Attn:  Mr.  William  Skevis 
2300  South  9th  Street 
Arlington  VA  22204-2301 


DL-6 


1 


McDonnell  Douglas  Astronautics  Co. 
ATTN;  Dr.  Hale 

PD  Box  516/  E464/HD/3N/1 0D32G? 

St  Louis  MO  63166-0516 


ITT  Avionics  Division  1 

ATTN:  c.  Ehrenfried 

100  Kingstand  Road/Dept  73401 

Clifton  NJ  07014-1915 


Motorola/  Inc.  1 

Attn:Mr.  Allan  Scholin 
3501  Ed  aluestein  Blvd 
Austin/  TX  78721 


Honeywell  Inc.  1 

Attn:  Avionics  Library 

1625  Zarthan  Ave  S./  MN  15-2312 

St.  Louis  Park/  MN  55416-1499 


Honeywell  Avionics  Division  1 

Mail  Station  229-1 
13350  US  Highway  19  S 
Clearwater  FL  33546-7920 


Logical  Technical  Services  Corp.  1 

ATTN:  Richard  Meyers 

Federal  Systems  Division 

675  Prospect  Street 

Trenton  NJ  08618-3108 

General  Dynamics  Fort  Worth  Div.  1 

ATTN:  Gary  Clark 
PD  9ox  748/  MZ  4052 
Fort  Worth/  TX  76101-0748 


General  Dynamics  Fort  Worth  Div.  1 

ATTN:  Mr.  N.  Butler 
P0  Box  748/  MZ  2281 
Fort  Worth/  TX  76101-0748 


Boeing  Commercial  Airplane  Co.  1 

MS  74-60 

Renton  Technical  Library 
PD  Box  3707 

Seattle/  WA  981  24-2207 

Boeing  Aerospace  Co.  1 

ATTN:  David  Wilson 
P0  Box  3999/  MS  2E“12 
Seattle/  WA  98124-2499 


DL-7 


1 


Mitre  Corn. 

ATTN:  R*  Ellis 

Burlington  Road*  Stop  H-130 

Bedford  MA  01730-0208 


Logistics  Management  Institute  1 

ATTN:  Mr.  Frans  Nauta 
6400  Goldsboro  Road 
8ethesda,  HD  20817-5886 


TRW  1 

ATTN:  J.  Lee 

1  Rancho  Caraell,  MSRC7/1406 
San  Di ego*  CA  92128-3499 


General  Electric  Co.  1 

ATTN:  Lori  Scoones 

901  Broad  St.,  MD  70-20 

Utica,  NY  13501-1501 


Texas  Instrument  Inc.  1 

ATTN:  3ruce  Roever 

5825  Mark  Dabling  Slvd.,  MS  3703 

Colorada  Springs,  CO  80919-2210 


Raytheon  Equipment  Development  Labs  1 

ATTN:  Mr.  A very  Hevesh 

528  Boston  Post  Rd./  MS-5-1-669 

Sudbury,  MA  01776 


Aerospace  Corp.  1 

ATTN:  R.  Li 

P 0  Box  92957,  MS  M5/591 
Los  Angeles,  CA  90009-2957 


Aerospace  Corp.  1 

ATTN:  <• G.  Holden 
PD  Box  92957,  M4-996 
Los  Angeles,  CA  90009-2957 


jimPeid  1 

1 7  Whaling  Drive 
Waterford,  CT  06385 


AT5T  Bell  Labs  1 

ATTN:  N.  Robbins 
Room  14C  355 
Whiopany,  NJ  07981 


DL-8 


Lockheed-Georgi a  Co. 

ATTN:  R.  Lee  Madison 
MS  0/72-49  Z-419 
747  Sharp  Mtn.  Crk. 

Marrieta/  GA  30067 

Lockheed  Space  Operations  Co. 
Attn:  Robert  Chase 
Dept.  51-22/  MC-LS  0-291 
PO  Box  2686 
T i tusvi lie  FL  32780 

Sutron  Corp. 

ATTN:  Oel  Uthman 
2190  Fox  Mill  Rd. 

Herndon  VA  22071 


McDonnell  Douglas  Missile  Sys  Co. 
ATTN:  Mr.  A.  Sasaki 
Dept  £-261/  Mai Ic  ode  1063663 
P0  Box  516 

Saint  Louis  M0  63166 
TRW 

ATTN:  Sam  Goggin 
293  Highway  247  S 
Warner  Roboins  GA  31033 


Signetics  Coro. 

Attn:  Dick  Lambert 
4130  South  Market  Court 
Sacramento/  CA  95S34 


Florida  Institute  of  Technology 
ATTN:  Professor  G.  F.  Goldberg 
Dept,  of  Management 
150  University  9lvd. 

Melbourne#  FL  32901 

Florida  Institute  of  Technology 
Attn:  Professor  Leonard  R.  Doyon 
440  Hawthorne  Court 
Indian  Harbor  Beach  FL  32937 


Florida  Institute  of  Technology 
Attn:  Professor  Frederick  Buoni 
Dept,  of  Mathematics 
150  W.  University  Btvd 
Melbourne  FL  32901-6988 

Sperry  Corp. 

ATTN:  Eldon  Goulden 
4012  Calle  Pino/  NE 
Albuquerque  NM  87119-9200 


Hughes  Aircraft  Co. 

ATTN:  A.  Samuels 
PO  Box  902 #  El  US  B105 
El  Segundo  CA  90245-0902 


Support  Systems  Associates#  Inc. 
ATTN:  Bill  Foreman 
2465  N.  Main  Street/Suite  13 
Sunset#  UT  84015 


Martin  Harrietts 
10456  W.  Fremont  PI 
Littleton  CO  80127 


Grumman  Aircraft  Systems 
ATTN:  Kenneth  A.  Haller 
ns  B08-14 

Bethpage#  NY  11714 


Texas  Instruments/DSEG 
ATTN:  0.  Hoffman 
P0  Box  869305#  MS  8506 
Plano  TX  75086 


Les  Corby 
709  33rd  St. 

Manhattan#  Beach  CA  90266 


Boeing  Electronics  Co. 
Attn:  Fat  ma  Oliver 
P0  Box  3707#  MS-9J-26 
Seattle  WA  98124 


Florida  Institute  of  Technology 
Attn:  Prof.  John  Hadjilogiou 
Dept,  of  Electrical  &  Computer  Eng 
150  West  University  3lvd. 

Melbourne  FL  32901-6988 

Institute  of  Defense  Analyses 
ATTN:  Dr.  Robert  M.  Rolfe 
1501  N  Beauregard  St.  (Skyline) 
Alexandria  VA  22311-17 72 


Boeing  Military  Airplanes 
AFPRO/Det  34/MS  1520 
ATTN:  John  Cheng 
3801  South  Oliver  Street 
Wichita  K  3  67210 


DL-10 


Hughes  Aircraft  Co. 

ATTN:  Mr.  T.  Pliska 
3ldg  613  MS  W303 
PO  Sox  3310 

Fullerton  CA  92634-3310 

tfestinghouse  Electric  Coro- 
ATTN:  Or.  A.  Kahn 
System  Development  Division 
PO  Box  746*  MS  5380 
Baltimore  MD  21203-0746 

ISM  Corporation 
ATTN :  R.L.  Lei se 
0306 

Owego  NY  13327 


Reliability  Training  Institute 
ATTN:  Or.  T.L.  Regulinski 
P0  Sox  31113 
Tuscon  AZ  35751-9998 


west i nghouse  Oef  5  Elec  Sys  Ct 
ATTN:  8.  A.  Bang 
Fr iendshi p  Site 
P0  Box  1521  MS  3607 
Baltimore  MD  21205-1521 

Lockheed  Missiles  5  SoaceCo. 
ATTN:  L.E.  0  o  v 
Dept  0/62-91*  Bldg  564 
PO  Box  3504 

Sunnyvale  CA  94088-3504 

Boeing  Aerospace  Co. 

ATTN:  J.M.  Barker 
PD  Box  3999*  MS  2K-66 
Seattle  UA  98124-2499 


TESTCOM  Corp. 

ATTN:  D.3.  Ibbett 

625  S.  Euclid*  Suite  10 

Anaheim  CA  92802-1246 


Noyes  Data  Corp. 

ATTN:  Janet  Paul 
Mill  Road  8  6rand  Ave 
Park  Ridge  NJ  07656-1295 


Lockheed 

ATTN:  F.  Harrison 

6300  Burleson  Road*  B-320*  TO-56 

Austin  TX  73744-1018 


1 


Harris  Corp.  GASO 
ATTN:  C.  Jensen 
PO  Box  9400*  PR  59-1/6551 
Melbourne  FL  32902 


General  Electric  Co.  1 

*TTN:  Earl  Van  Scooter 
901  Broad  Street*  MO  702 
Utica  NT  13501-1501 


3oeing  Aerospace  Company  1 

ATTN:  L.  Hopkins 
P0  Box  3999*  MS  8A-83 
Seattle  HA  98124-2499 


Honeywell  Inc.*  DASD  1 

Rel  Engr  Dept  1586 
9201  San  Mateo  Blvd  NE 
Albuquerque  NM  87113-2227 


The  MITRE  Corporation*  MS  H114  1 

ATTN:  T.  Roome 
Bedford  MA  01730 


UNISYS  Corporation  1 

Defense  Systems*  MS  1A18 
ATTN:  E.U.  Edwards 
Great  Neck  NY  11020 


D  A  IN  A  Corp.  1 

ATTN:  J.  Pukite 

4111  Central  Ave.  NE*  Suite  212 
Columbia  Heights  MN  55421 


AT&T  Bell  Labs*  Inc.  1 

ATTN:  A.  Stolpen 

Room  2A-1 59 

Whippany  Road 

Whiopany  NJ  07981 

AD/ENP  1 

ATTN:  Or.  Jasper  Glover 
Eglin  AFB  FL  32542-5000 


AF/LE-R  1 

Washington  DC  20330-5130 


DL-12 


AFALC/ESR 

ATTN:  Clyde  Allison 
Wright-Patterson  4  F  3  OH  45433-5001 


AFHRL/LRL  A 

ATTN:  Russell  M.  Genet 

Hr i g h t-Pa t t er son  AFB  OH  45433-6573 


AFISC/SESD 

ATTN:  Capt.  3.  3onnett 
Norton  AF3  CA  92409-7001 


AF IT/LS9 

ATTN:  Professor  Virgil  0 -  Rehg 
Wr  i g h t -P a 1 1 e r son  AFQ  OH  45433-6583 


AFLC  LOC/CFWD 

Wr i g h t-Pa t t e r son  AF3  OH  45433-5001 


A  F  SC /PL 

ATTN:  Michael  Zsak 
Andrews  AF3  DC  20334-5000 


AFSC/PLL 

Andrews  A  F  3  DC  20334-5000 


AFSC/PL 

ATTN:  Edmund  Westcott 
Andrews  AF8  DC  20334-5000 


AFSC/XT 

ATTN:  Capt.  Wienk 
Andrews  AFB  DC  20334-5000 


AF0TEC/LG4R 

ATTN:  Mr.  Chamblee 

K  i  rt land  AFB  NM  87117-7001 


WR  DC/ F IEE 

ATTN:  Alan  Burkhard 
Wright-Patterson  AFB  OH  45433-6553 


1 


AFWAL/XRX A 
ATTN:  Robert  Ream 

Wright-Patterson  AF8  OH  45433-6523 


AGHC/MLS 

Neva  rk  A F S  OH  43057-5475 


AFWAL/AAAS 

ATTN:  George  Konomos 
Wright-Patterson  AFB  OH  45433-6523 


ASD/AEGA 

ATTN:  Herb  Kiesel 

Wright-Patterson  AFB  OH  45433-6503 


ASO/ AXA 

Wright-Patterson  AFB  OH  45433-6503 


ASD/ AXAE 

ATTN:  Nr.  N.R.  Vivians 
Wright-Patterson  AFB  OH  45433-6503 


4SD/EN 

ATTN:  Grover  Cleveland 
Wright-Patterson  AFB  OH  45433-6503 


ASO/ ENEGT 

Wright-Patterson  AFB  OH  45433-6503 


AS0/EN3II 
ATTN:  Jon  Hiles 

Wright-Patterson  AFB  OH  45433-6503 


DL-14 


ASD/RAO 

ATTN:  T.  Kindle 

Jr i g h t *’a t t er son  AF3  OH  45433-6503 


3M0/ AMR 

ATTN:  M  a  j  o  r  Gary  Jungwirth 
Norton  A  F  9  CA  92409-6465 


3*10/ ALN 

Norton  AF3  CA  92409-6465 


Defense  Product  Standards  Office  1 

ATTN:  John  Wyatt 

5203  Leesburg  Pike*  Suite  1403 

Falls  Church  V A  22041-3466 


00D  PESO  C/0  DL A 
ATTN:  Zabielski 
Cameron  Station 
Alexandria  VA  22314 


ESD/FASE 

ATTN:  E.  Sarkisian 

Hans  con  A  F  3  MA  01731-5000 


ESD/FAU  1 

ATTN:  George  Oko 

Hanscom  A F 3  MA  01731-5000 


ESD/0C3E  1 

ATTN:  Thomas  Sheridan 
Hanscom  AF3  MA  01731-5000 


ESD/OCS* 

ATTN:  0.  DiMarca 
Hanscom  AF9  MA  01731-5000 


ESD/SCS-1EA  1 

ATTN:  Helen  Baker 
Hanscom  AF3  MA  01731-5000 


DL-15 


ESD/TCJE 

ATTN:  G.  Harn 

Hanscos  A FB  HA  01731-5000 


1 


ESD/TCS-2A 

ATTN:  David  Kenyon 

Hanscoa  A  FB  HA  01731-5000 


ESD/TCVS 

ATTN:  R.  Neil  Hansen 
Hanscoa  A F 3  HA  01731-5000 


ESD/PL 

Hanscoa  AFB  HA  01731-5000 


National  Institute  of  Stds  & 
ATTN:  Hr.  Robert  E.  Nelson 
Div.  724.00 
325  Broadway 
Boulder  CO  80303 

Naval  Air  Engineering  Center 
ATTN:  Jerry  L.  Kunert 
Code  09R 

Lakehurst  NJ  08733-5100 


Naval  Air  Systems  Command 
ATTN:  Merlin  P.  Walters 
Air  51652 

Washington  DC  20361-5110 


Naval  Avionics  Center 
D/410 

6000  East  21st  Street 
Indianapolis  IN  46219-218° 


Naval  Coastal  Systems  Center 
Code  3250 
Panama  FL  32407 


Naval  Sea  Systems  Command 
ATTN:  William  Shapleigh 
Code  SEA  004 

Washington  DC  20362-5101 


1 


1 


1 


Tech  1 


1 


1 


1 


1 


1 


DL-16 


Naval  Ocean  Systems  Center 
Attn:  Mel  Nunn 
Code  936 

San  Diego  CA  92152-5000 


Naval  Post  Graduate  School 
ATTN:  Professor  M.  9.  Kline 
Code  54K X 
Monterey  CA  93943 


Naval  Research  Laboratory 
ATTN:  Dr.  Harry  Ascher 
Code  1206 

Washington  DC  20375-5000 


Naval  Ship  Weapons  Engineering 
Attn:  Bill  Flothmeier 
Code  4713 
Bldg  1153 

Port  Hueneme  CA  93043-5007 

Naval  Surface  Weapons  Center 
ATTN:  William  L.  Keiner 
Code  E302 

Dahlgren  VA  22448-5000 


Naval  Training  Equipment  Center 
Attn:  George  Campbell 
Code  N411 

Orlando  FL  32813-7100 


Naval  Underwater  Systems  Center 
ATTN:  R.  A.  Pikul 
Code  434 

Newport  RI  02841-5047 


Naval  Underwater  Systems  Center 
ATTN:  William  Crimmins 
Newport  RI  02841-5047 


Naval  Underwater  Systems  Center 
ATTN:  James  Souza 
Code  3654 
Bldg.  148 

Newport  RI  02841-5047 
0 C-ALC/MME 

Tinker  AF 8  OK  73145-5979 


1 


1 


1 


St  a  .  1 


1 


1 


1 


1 


1 


1 


DL-17 


OOHM.C/HHEAR  1 

Hitt  AF8  UT  84056-5990 


0A$D(P8L)PS/SDM  1 

A1TN:  Peter  Yurcisin 
R  3  o*  2A318 
Pentagon 

Washington/  DC  20301-8000 

OUSD  R&E  1 

Director  of  Elect  8  PHys.  Sci. 

Pentagon/  Rooa  3D1079 
Washington  DC  20301 


RADC/CO  1 

Griffiss  AFB  NY  13441-5700 


RADC/DC  1 

Griffis*  AFB  NY  13441-5700 


RADC/EE  1 

Hanscom  AFB  M A  01731-5000 


RADC/ES  1 

Hanscom  AFB  MA  01731-5000 


RADC/IR  1 

Griffiss  AFB  NY  13441-5700 


RADC/OC  1 

Griffiss  AFB  NY  13441-5700 


SA-ALC/NMEA  1 

Kelly  AFB  TX  78241-5990 


DL-18 


SA'ALC/MMTMA 

ATTN:  Joseph  Johnson 

Kelly  Af 3  TX  73241-5990 


SA-ALC/MMIRAP 

ATTN:  Paul  Peed 

Kelly  A F 3  TX  73241-5990 


SD/ALTR 

ATTN:  Mr.  Leese 
Worldway  Postal  Center 
P0  3ox  92960 

Los  Angeles  CA  90009-2960 
SM-ALC/MME 

McClellan  A F 9  CA  95652-5990 


US  Army  Aviation  Systems  Command 

ATTN:  Mr.  Payne 

AMSAB-3R 

4300  Goodfellow  9lvd. 

St.  Louis  MO  63120-1798 

US  Army  Comm-Elect  Cmd. 

ATTN:  R.  Jupinka 
DRSEL-PA-RJ 

Fort  Monmouth  NJ  07703-5000 


US  Army  Comm-Elect  Cmd. 
ATTN:  Hoffman 
DRSEL-PA-M 

Fort  Monmouth  NJ  07703-5000 


US  Army  LABC0M  ET&D  Laboratory 
ATTN:  Dr.  C.G.  Thornton 
SLCET-D 

Fort  Monmouth  NJ  07703-5302 


US  Army  Logistics  Evaluation  Agency 

Attn:  Daveau 

DAL0-LEI 

New  Cumberland  Army  Depot 
New  Cumberland  PA  17070-5001 

US  Army  Logistics  Management  Ct. 
Attn:  Mr.  Samoson 

Def.  Logistics  Studies  Info.  Exch. 
Fort  Lee#  VA  23801-6043 


1 


Belvoir#  Research  ft  Developaient  Ct. 

ATTN:  Mr.  Rabon 

DRDME-TQ 

Fort  Belvoir  VA  22060-5606 


US  A  ray  RftT  Laboratories  (AVRADCOM)  1 

ATTN:  Mr.  Poteate 

OAVOL-ATL-ASR 

Applied  Technology  Laboratory 
Fort  Eustis  VA  23604-5577 

VR-ALC/MME  1 

Robins  AF8  6A  31098-5609 


WR-ALC/MMIR  1 

Robins  AFB  GA  31098-5609 


WR-ALC/MMRR  1 

Robins  AFB  SA  31098-5609 


National  Security  Agency  1 

Attn:  Mr.  W.W.  Vinson 
Rl  51 

9800  Savage  Road 

Fort  Meade  MO  20755-6000 

AFALC/PTEC  1 

ATTN:  Capt.  Steve  Burke 
Wright-Patterson  AF8  OH  45433-5001 


National  Security  Agency  1 

Attn:  Frederick  W.  Pankov 
T  2 1 1  3 

Fort  George  G.  Meade  Mb  20755-6000 


Naval  Warfare  Assessment  Center  2 

ATTN:  R.  Monroe 
Code  3143 

Test  Technology  Information  Center 
Corona/  CA  91720-5000 

Naval  Warfare  Assessment  Center  2 

ATTN:  M.  Kaufman 
Code  3143 

Test  Technology  Information  Center 
Corona/  CA  91720-5000 


DL-20 


1 


NASA/MSFC 

ATTN:  Felminio  Villella 
Dept.  E 3  13/Bldg.  4487 
Huntsville  AL  35812 


OC-ALC/MMEA  1 

Tinker  A f 8  OK  731  45-5979 


OC-ALC/MMIR  1 

Tinker  A  F  B  OK  731  45-5980 


US  Army  Comm-Elect  Cml.  1 

Attn:  J.  Argios 

DRCPM-TMDS-L 

Fort  Monmouth  NJ  07703-5000 


SM-ALC/MAITC  1 

ATTN:  C.  Wayne  McNally 
McClellan  AFB  CA  95652-5990 


ASD/AFES  1 

ATTN:  James  L.  Koenig 

Wr i ght-Patterson  AFB  OH  45433-6503 


AFIT/LSQ  1 

ATTN:  Capt  Clinton  Cambell 

Wri ght-Patterson  AFB  OH  45433-6583 


OSAF/ALG  1 

ATTN:  Mr.  Oscar  Goldfarb 
Washington  DC  20330-1000 


ASD/AE6E  1 

ATTN:  J.  Stout 

Wri ght-Patterson  AFB  OH  45433-6503 


F  A  A  1 

Attn:  Mr.  Robert  Hodge 
APM  610 

800  Independence  Ave. 

Washington/  DC  20591 


DL-21 


FAA  Technical  Center 
Attn:  Nickolus  0.  Rasch 
ACT-340 

Atlantic  City  Airports  NJ  08405 


National  Security  Agency 
ATTN:  John  Chriest 
Y211 

Fort  George  6.  Header  HD  20755-6000 


AS  0/ AF£S 

ATTN:  Hr*  Dean  Edgeaon 
Uright-Patterson  AF8  OH  45433-6503 


OASD  (HI&L)  nartin  A.  Meth 
Pentagon#  Room  2B322 
Washington  DC  20301 


US  Army  Hgt  Eng*  Training  Act. 
ATTN:  Hr  Jerold  Nelson 
AHX0M-Q A 

Rock  Island#  IL  61299-7040 


US  Army  Hgt  Eng.  Training  Act* 
ATTN:  Hr.  Raymond  Loecke 
AHXOH-QA 

Rock  Island#  IL  61299-7040 


Naval  Warfare  Assessment  Center 
ATTN:  Hr*  Allan  Burkholder 
MC  3432 

Corona#  CA  91720-5000 


H3  A  FLC  L0C7TL 

ATTN:  Col  Fredric  Abrams 

Wr ight-Patterson  AFB  OH  45433-5001 


WR-ALC/MHRRAH 
Robert  Gault 

Robins  AF9#  GA  31093-5609 


WR-ALC/HA ITA3 
ATTN:  Jerry  Johnson 
Robins  AF 3#  GA  31098-5149 


Director/  USAMSAA 
ATTN:  P.  Ellner 
AMXSY-RM 

Aberdeen  Proving  Gd/  MD  21005-5055 


A3D/EN  (PA) 

Wri ght-Patterson  AF8  OH  45433~65Q3 


WR-ALC/MMRRAH 
ATTN:  Ed  Fransioli 
Robbins  AFB/  GA  31098-5609 


US  Air  Force  Academy 
ATTN:  Capt.  James  A.  Doyless 
Deoartment  of  Management 
Colorado  Springs/  CO  80840-5941 


Naval  Underwater  Systems  Center 
ATTN:  Mandeep  Nehra 
Code  434/  3ldg.  102 
Newport/  R I  02341-5047 


0C-ALC/MMKR8 

ATTN:  John  Hertz 

Tinker  A F 8 /  OK  73145-5990 


Navy  Space  Program  Detachment 
ATTN:  Paul  F.  Babcock 
Code  32 

Warner  Robbins  AFB  GA  31088 


RADC/LW 

ATTN:  Lt  Col  Llska 
Griffiss  AFB  13441-5700 


Commander 

Naval  Air  Systems  Command 
ATTN:  John  Wilson 
Advanced  Platform  APML 
Washington  0C  20361-4110 

Industrial  Prod  Support  Office 
ATTN:  Kurt  Greene 
c/o  Defense  Logistics  Agency 
Cameron  Station 
Alexandria/  VA  22304-6183 


1 


Naval  Avionics  Center 
ATTN:  Gene  Keeler 
Code  B91 8 

6303  E  21st  Street 
Indianapolis*  IN  46219-2189 

USAFA  Reliability  Studies  Group  1 

ATTN:  Maj  R.  Sheldon 
Department  of  Mathematics 
US AF  Academy*  CO  80840-5000 


ASD/ ENE (GIMADS)  1 

ATTN;  D. F  Wilkerson 
Wright-Patterson  AFB  OH  45433-6503 


ESD/PLET  1 

ATTN:  Capt.  Mike  Newman 
Hanscom  AFB  MA  01731-5000 


AFIT/LSQ  1 

ATTN:  C«  Widenhouse 
Wright-Patterson  AFB  OH  45433-6583 


HQ  AFSPACECOM/LKYY  1 

ATTN:  Capt.  David  Wile 
Peterson  AFB  CO  80914-5001 


ESD/AVBA  1 

ATTN:  Larry  Kriger 
Hanscom  AFB  MA  01731-5000 


ESC/XPEN  1 

Attn:  Mr.  A.  Lopez 
San  Antonio  TX  78243 


The  Analytic  Sciences  Coro.  1 

Attn:  Mr.  James  Kelly 
1  Jacob  Way 
Reading*  MA  01867 


D  A  IN  A  Corporation  1 

Attn:  Janis  Pukite 
4111  Central  Ave.  N.E. 

Suite  212 

Columbia  Heights*  MN  55471 

DL-24 


Lockheed  Aeronautics  Systems 
Attn:  Bill  Ng 

Dept.  7072  Bldg  65  Plant  A1 

p.o.  Box  551 

Burbank/  CA  91520-7072 

AMSER  Corp. 

Attn:  Melanie  Crotty 
Suite  800 

1215  Jefferson  Davis  Huy 
Arlington  VA  22202 

Boeing  Aerospace  Corp. 

Attn:  William  Buckingham 
P.O.  Box  3999/  MS  2E-10 
Seattle/  WA  98124-2499 


University  of  Washington 
Attn:  Arun  Somani 
Dept,  of  electrical  Engineering 
Seattle/  WA  98195 


Northruo  Corp./B-2  Division 
Attn:  Clyde  Denison 
Li  03 / IN  Advanced  Projects 
3900  E.  Washington  BLVD 
Pico  Rivera/  CA  90660-3737 

Institute  for  Defense  Analysis 
Attn:  Mitch  Robinson 
Strategy/  Forces/  and  Resources  Div 
1301  N.  Beauregard  Street 
Alexandria/  VA  22311 

Boeing  Commercial  Airplanes 
Attn:  Tilak  Sharaa 
P.O.  Box  3707 
M/S  7Y-21 

Seattle/  WA  98124-2207 


MISSION 

°f 

Rome  Air  Development  Center 

RADC  plans  and  executes  research,  development,  test  and 
selected  acquisition  programs  in  support  of  Command,  Control, 
Communications  and  Intelligence  (C*I)  activities.  Technical  and 
engineering  support  within  areas  of  competence  is  provided  to 
ESD  Program  Offices  (POs)  and  other  ESD  elements  to 
perform  effective  acquisition  of  CSI  systems.  The  areas  of 
technical  competence  include  communications,  command  and 
control,  battle  management  information  processing,  surveillance 
sensors,  intelligence  data  collection  and  handling,  solid  state 
sciences,  electromagnetics,  and  propagation,  and  electronic 
reliability /maintainability  and  compatibility. 


